EMERGING TECHNOLOGIES: Matthew B. Hoy and Ariel F. Pomputius, Column Editors

An Introduction to RA21: Taking Authentication Beyond IP Addresses

Abstract

Providing access to electronic resources is a core service for most libraries, and for more than two decades librarians have used Internet Protocol (IP) addresses as a way to authenticate users and prove they should have access to their institution’s licensed materials. But in recent years, IP addresses have become a less accurate method of determining whether a user is affiliated with a particular library. Key players in the publishing industry and academia are working together on a new set of protocols to replace IP authentication called Resource Access for the 21st Century, or RA21. This column will briefly explore what RA21 is, what problems it purports to solve, and what problems it may create. A list of resources for further reading on RA21 is provided.

Introduction

Providing access to electronic resources is a core service for most libraries, and for more than two decades librarians have used Internet Protocol (IP) addresses as a way to authenticate users and prove they should have access to their institution’s licensed materials. IP addresses are unique numbers assigned to an individual computer, identifying it to other computers on the internet. Larger institutions can route their internet traffic through a small number of addresses, meaning thousands of users at an institution may be using the same IP to access information. In recent years, IP addresses have become a less accurate method of determining whether a user is affiliated with a particular library. Users have become more mobile and are working from multiple locations and devices; their IP address at any given moment may not correspond to their institution. Virtual private networks and proxy services have offered some solutions to these issues, but they are complicated to manage and have their own issues. IP address authentication is also vulnerable to spoofing and piracy. Key players in the publishing industry and academia are working together on a new set of protocols to replace IP authentication, calling this initiative “Resource Access for the 21st Century,” or RA21. This column will briefly explore what RA21 is, what problems it purports to solve, and what problems it may create. A list of resources for further reading on RA21 is also provided.

What Is RA21?

RA21 is not a new technology or product; it is a task force working to develop new standards for authenticating users using existing technologies. The project is a joint venture of the National Information Standards Office (NISO) and the International Association for Scientific, Technical and Medical Publishers (STM). Their stated goal is

optimizing access protocols across key stakeholder groups, including (but not limited to!) publishers, librarians, campuses, vendors, and identity federation operators, with a goal of facilitating a simple user experience for users of scholarly information resources. [1]

RA21 is working with representatives from these groups to develop standards and best practices for authenticating users in a uniform and seamless way across multiple platforms. The group has developed a model based on Security Assertion Markup Language (SAML), which is a system for institutions to federate authentication. In a typical transaction, when users request access to licensed materials, a publisher can ask them to identify their home institution. After the users select their institution, the publisher contacts the institution’s Identity Provider (IdP) service and asks it to authenticate the user. The IdP will check if the users are already known and ask users to log in with their institutional credentials if they are not. Once the IdP has verified the user, it will send a message back to the publisher stating the user is authorized and passing along selected information about the user. [2] Because this is a standardized and federated system, users will only need to authenticate once per session; if they visit another publisher site during the same session, their home institution will already be selected, and the IdP system will have already authenticated them. This means users will not need to log in over and over again and will not need separate user names and passwords for each resource.

Pilot studies using this SAML methodology were conducted in pharmaceutical industry and academic settings in 2018, with mostly positive results. [3] Widespread testing has not been conducted, and as more librarians become aware of what RA21 will mean for their institutions and users, more issues will likely emerge.

What Problems Does RA21 Solve?

The RA21 group wants to replace IP address authentication as the standard for access to licensed resources. [4] There are several good reasons to consider replacing IP authentication: It works seamlessly and invisibly when users are on campus and using an institutional IP address. Users request a resource, the publisher confirms their IP address is in a licensed range, and the resource is presented to the users, all without additional usernames, passwords, or other authentication. But IP authentication quickly breaks down when users are off-campus or using a noninstitutional IP address. Proxy services such as EZProxy and Virtual Private Networks (VPNs) can make it appear that users are on campus, but the extra steps needed to use these tools are often more trouble than users are willing to go through to access library resources. Proxies and VPNs have other issues; if users find a journal article using an internet search engine rather than the library website, the publisher has no way of knowing the user should have access. In order for proxy and VPN access to work, users must access library resources via specially constructed links on the library website.

Proxy services are also becoming less acceptable from a security standpoint; they mimic a “man in the middle” attack. [5] As more internet traffic is encrypted via HTTPS, proxy services will require more upkeep and maintenance, including managing SSL certificates. This level of complexity may be difficult for smaller institutions to maintain.

Proxy services are also one of the main vectors for article piracy. [6] Compromised proxy login credentials can lead to thousands of articles being downloaded in a very short amount of time. [7] Publishers would welcome the additional control that RA21 offers in shutting off access to individual compromised or abusive accounts. In current IP authenticated systems, publishers can only turn off access for an address, not an individual user. They must rely on staff at the licensing institution to trace the individual user and resolve the issue. In an RA21 system, publishers would have the ability to deny access to individual users and respond to potentially compromised accounts much more quickly. This would be an advantage for librarians as well, since shutting off access for an entire institution due to one offender is less than ideal. Provided there is a clear path to reinstate user accounts that have been mistakenly disabled, this feature could benefit everyone.

Transitioning to an RA21 system would also provide a more uniform experience for users. Whether they use the library website to find a journal title or Google an article title and arrive at the publisher’s page, their workflow would be the same: choose their institution from the list, log in with their institutional credentials, and be granted access. Hinchliffe notes that once the user is logged in, the login should be persistent for that session and carry over between different participating publisher sites. [8]

RA21 systems also have the potential to provide better and more granular usage data. IP authentication can only give raw counts of access, but RA21 would allow use counts to be attributed to specific groups and individuals.

What Problems Does RA21 Create?

While RA21 may solve some issues created by IP authentication, it also creates several new issues, particularly for smaller institutions. SAML and IdP systems are complex and require expertise to set up and maintain. Large institutions are able to support the expense and labor involved with maintaining these systems, but this is a major undertaking for smaller institutions. There must also be a cultural willingness at the institution to want to provide authentication services. As Michelle Kraft noted in a recent blog post about RA21, hospitals in particular do not want login credentials used anywhere outside their institution. [9] Convincing an extremely risk-averse information technology (IT) department to set up and maintain an IdP system will be a tough sell. Smaller publishers will also be burdened by this change since they will need to substantially change their current authentication systems.

Another problem with RA21 is user privacy. IP authentication maintains at least some level of user anonymity. [7] Publishers do not know anything about the user, and librarians need to dig through logs to pair a specific user with a specific article request from an IP address. But SAML and IdP verify individual users to a publisher, and although what information about the user is passed to the publisher is completely in the control of the institution, there are likely to be issues with user data being shared that should not be. Passing email addresses or phone numbers to a publisher could lead to unwanted solicitations, and if the IdP is configured to contain more sensitive data such as Social Security numbers or addresses, there is a real risk of a data breach.
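The institution's control over what is released, and the publisher's ability to block one account rather than a whole address, can be illustrated together. The following is an added example, not part of the original column or of any RA21 specification: it models the IdP's message as a plain dictionary rather than signed SAML XML, and the directory records, publisher identifiers, salt, and function names are all constructed for illustration.

```python
import hashlib
import hmac

LIBRARY_TERMS = "urn:mace:dir:entitlement:common-lib-terms"
# Constructed directory records, as an institution's IdP might hold them.
DIRECTORY = {
    "jdoe": {"mail": "jdoe@example.edu", "phone": "555-0100", "ssn": "000-00-0000",
             "affiliation": "staff", "entitlement": LIBRARY_TERMS},
    "asmith": {"mail": "asmith@example.edu", "phone": "555-0101", "ssn": "000-00-0001",
               "affiliation": "student", "entitlement": LIBRARY_TERMS},
}
PUB_A = "https://sp.publisher-a.example/saml"  # hypothetical publisher identifiers
PUB_B = "https://sp.publisher-b.example/saml"
# Per-publisher release policy set by the institution; unlisted attributes are withheld.
RELEASE_POLICY = {PUB_A: {"affiliation", "entitlement"}, PUB_B: {"entitlement"}}
IDP_SALT = b"constructed-secret-known-only-to-the-idp"

def pairwise_id(username, publisher):
    """Opaque ID: stable for one publisher, unlinkable across publishers."""
    msg = f"{username}!{publisher}".encode()
    return hmac.new(IDP_SALT, msg, hashlib.sha256).hexdigest()[:32]

def build_assertion(username, publisher):
    """Release only what the policy allows for this publisher (default: nothing)."""
    allowed = RELEASE_POLICY.get(publisher, set())
    attrs = {k: v for k, v in DIRECTORY[username].items() if k in allowed}
    attrs["pairwise_id"] = pairwise_id(username, publisher)
    return attrs

class Publisher:
    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.blocked = set()  # pseudonyms of compromised or abusive accounts

    def grant_access(self, assertion):
        if assertion["pairwise_id"] in self.blocked:
            return False
        return assertion.get("entitlement") == LIBRARY_TERMS

if __name__ == "__main__":
    pub_a = Publisher(PUB_A)
    jdoe = build_assertion("jdoe", PUB_A)
    print(sorted(jdoe))                      # no mail, phone or ssn released
    pub_a.blocked.add(jdoe["pairwise_id"])   # block one account, not the campus
    print(pub_a.grant_access(jdoe),
          pub_a.grant_access(build_assertion("asmith", PUB_A)))
```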

RA21 also presents publishers with an opportunity to profile researchers and show them things based on their previous activity. While this is normal and even expected in a retail environment, it may not be as helpful in a research context. If researchers are shown content based on their previous searches, these systems run the risk of creating “filter bubbles,” where publishers prioritize content they believe the researcher wants, rather than what the researcher is actually trying to find.

Further Reading on RA21

The following resources explore RA21 in more detail:

Conclusion

The RA21 initiative has a stated goal of replacing IP authentication systems, which are currently in widespread use, well-understood, and easy to maintain. While there are clear advantages to the proposed new RA21 system, IP authentication is an established standard, and there will likely be a great deal of resistance to losing it. Librarians should familiarize themselves with the basics of RA21 and federated authentication systems. They should also work with their local IT department and explore whether their institution already has an IdP system that could be leveraged for RA21. Librarians may want to discuss RA21 with their current vendors and determine if they are planning to move toward non-IP authentication. Now is the time to raise concerns about ease of access and what problems federated authentication may cause. If RA21 moves ahead, librarians will want to be involved in every step of setup and maintenance to ensure their users are protected from potential privacy issues and that access is as seamless as possible. The death of IP address authentication is not inevitable, but it appears more and more likely, and librarians need to actively advocate for the best possible replacement system that preserves ease of use and protects user privacy.

Notes on Contributor

Matthew B. Hoy, MLIS, AHIP is Associate Director of Libraries, Mayo Clinic, 200 1st Street SW, Rochester, MN 55905.
